CVE-2022-29946: NATS Server and Streaming Server fails to enforce negative user permissions, may allow denied subjects

July 11, 2024 (updated July 12, 2024)

NATS.io NATS Server before 2.8.2 and Streaming Server before 0.24.6 could allow a remote attacker to bypass security restrictions, caused by the failure to enforce negative user permissions in one scenario. By using a queue subscription on the wildcard, an attacker could exploit this vulnerability to allow denied subjects.

References

github.com/advisories/GHSA-2h2x-8hh2-mfq8
github.com/nats-io/advisories/blob/main/CVE/CVE-2022-29946.txt
nvd.nist.gov/vuln/detail/CVE-2022-29946

Code Behaviors & Features

Detect and mitigate CVE-2022-29946 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →